Fix: fix auto-close after giving a document away

src-ui/src/app/components/document-detail/document-detail.component.spec.ts

@@ -1,5 +1,9 @@
 import { DatePipe } from '@angular/common'
-import { provideHttpClient, withInterceptorsFromDi } from '@angular/common/http'
+import {
+  HttpErrorResponse,
+  provideHttpClient,
+  withInterceptorsFromDi,
+} from '@angular/common/http'
 import {
   HttpTestingController,
   provideHttpClientTesting,
@@ -503,7 +507,7 @@ describe('DocumentDetailComponent', () => {
     const updateSpy = jest.spyOn(documentService, 'update')
     const toastSpy = jest.spyOn(toastService, 'showInfo')
     updateSpy.mockImplementation(() =>
-      throwError(() => new Error('failed to save'))
+      throwError(() => new HttpErrorResponse({ status: 403 }))
     )
     component.save(true)
     expect(updateSpy).toHaveBeenCalled()

src-ui/src/app/components/document-detail/document-detail.component.ts

@@ -824,11 +824,13 @@ export class DocumentDetailComponent
         },
         error: (error) => {
           this.networkActive = false
-          if (!this.userCanEdit) {
+          if (error.status === 403) {
+            // e.g. document was 'given away'
+            this.openDocumentService.setDirty(this.document, false)
             this.toastService.showInfo(
               $localize`Document "${this.document.title}" saved successfully.`
             )
-            close && this.close()
+            this.close()
           } else {
             this.error = error.error
             this.toastService.showError(

src/documents/tests/test_api_documents.py

@@ -262,6 +262,34 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
         response = self.client.get(f"/api/documents/{doc.pk}/thumb/")
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    def test_document_given_away(self):
+        """
+        GIVEN:
+            - Document with owner
+        WHEN:
+            - Document is update and given away
+        THEN:
+            - 403 Forbidden is returned
+        """
+        non_superuser = User.objects.create_user(username="test")
+        non_superuser.user_permissions.add(*Permission.objects.all())
+        self.client.force_authenticate(user=non_superuser)
+
+        doc = Document.objects.create(
+            title="none",
+            checksum="123",
+            mime_type="application/pdf",
+            owner=non_superuser,
+        )
+
+        response = self.client.patch(
+            f"/api/documents/{doc.pk}/",
+            {"owner": self.user.id},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
     @override_settings(FILENAME_FORMAT="")
     def test_download_with_archive(self):
         content = b"This is a test"

src/documents/views.py

@@ -580,15 +580,24 @@ class DocumentViewSet(
 
     def update(self, request, *args, **kwargs):
         response = super().update(request, *args, **kwargs)
+        try:
+            doc = self.get_object()
+        except Http404:
+            # if we get this far document it was probably 'given away'
+            doc = Document.objects.get(id=kwargs["pk"])
+
         from documents import index
 
-        index.add_or_update_document(self.get_object())
+        index.add_or_update_document(doc)
 
         document_updated.send(
             sender=self.__class__,
-            document=self.get_object(),
+            document=doc,
         )
 
+        if not has_perms_owner_aware(request.user, "change_document", doc):
+            return HttpResponseForbidden("Insufficient permissions")
+
         return response
 
     def destroy(self, request, *args, **kwargs):